Mass Text Alert System Hacked in Major Security Breach
Hackers hijacked a major text messaging service, sending hundreds of thousands of scam texts to subscribers of New York state alerts, Catholic Relief Services, and the Fight for a Union political group.
Key Takeaways
- Hackers compromised Mobile Commons, a legitimate bulk texting platform
- Scam messages targeted subscribers of government and nonprofit alerts
- Breach lasted four hours before being contained
- Industry reports increased attacks on short code systems
Sophisticated Platform Takeover
While text scams are common, this incident marks a rare case where cybercriminals successfully took over an established, legitimate bulk messaging operation. Mobile Commons works with governments and progressive organizations to send public service announcements and fundraising texts.
Company Statement Reveals Attack Details
In a statement, Mobile Commons confirmed: “On the evening of Monday, November 10th, an unauthorized third party gained illegal access to our platform through what we believe was a spear phishing attack or similar social engineering method. The intruder’s access was active for a four-hour period ending at 12:10 AM on November 11th before being detected and removed. During this time, multiple attempts were made to send spam messages through our system. A limited number of these messages reached subscribers before our security protocols identified and shut down the malicious activity.”
Short Code Systems Under Threat
Organizations use companies like Mobile Commons because they’re vetted by the telecommunications industry and have access to regulated short code numbers. These 5-6 digit numbers are tightly controlled to prevent spam filtering when sending mass texts.
The U.S. Short Code Registry warned messaging platforms about increased hacker attacks. “Our monitoring teams have detected a notable increase in attempts by unauthorized actors to initiate account takeovers and originate unwanted or illegal text messages using Short Codes,” their email stated.
Scam Pattern Analysis
Despite having the capability to cause mass panic, the hackers sent routine scam variations. Messages from compromised accounts of New York state, Catholic Relief Services, and Fight for a Union all referenced fake transactions and directed users to call the same 888 number, which is now disconnected.
